Support multiple WebAuthn challenges #84

Closed
rtheys opened this issue Dec 1, 2021 · 6 comments
Labels
Type: Enhancement New feature (internally/planned) or enhancement of existing feature

Comments

@rtheys

rtheys commented Dec 1, 2021

Hi,

I'm using Keycloak 15 with keycloak-provider 1.0.0 (also have this issue with 0.6.1).

When I configure two webauthn tokens for a user and then try to log in on keycloak as that user, the dialog will show that the webauthn triggers are there, but when I press the webauthn key that was added last, it does not work. Only the first added webauthn key works.

Below are the logs on the keycloak server. The logs show login with the first-registered webauthn token. I believe the issue is with the javascript code as the response from the second-registered key does not seem to be processed.

After pressing the key as instructed by the browser, the web developer console logs the following error:

Uncaught (in promise) DOMException: An attempt was made to use an object that is not, or is no longer, usable

So I believe there's an error in the javascript code somewhere.

Regards,
Rik

2021-12-01 10:57:14,906 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: Sending to /auth
2021-12-01 10:57:14,906 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: username=trigger-admin
2021-12-01 10:57:14,907 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: password=************************
2021-12-01 10:57:14,907 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: realm=esat.kuleuven.be
2021-12-01 10:57:15,492 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: Sending to /validate/triggerchallenge
2021-12-01 10:57:15,492 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: user=u0045469
2021-12-01 10:57:15,492 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: realm=esat.kuleuven.be
2021-12-01 10:57:15,605 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://sso-test.esat.kuleuven.be/...) PrivacyIDEA SDK: /validate/triggerchallenge:
{
  "detail": {
    "attributes": {
      "hideResponseInput": true,
      "img": "static/img/FIDO-U2F-Security-Key-444x444.png",
      "webAuthnSignRequest": {
        "allowCredentials": [
          {
            "id": "teDWJ1BG-luk4QVS5o6MTi_r9XsiFb8rAfmSdIu8F6OH1p1isbgcXDH-J3iYKvBgfqnCp7mNmKQ_vkcJ_MTmxA",
            "transports": [
              "usb",
              "ble",
              "nfc",
              "internal"
            ],
            "type": "public-key"
          }
        ],
        "challenge": "D1VCRmG9CuOCvRaTv4m_lT9kcmC8A_isGtb1h6-RoLo",
        "rpId": "sso-test.esat.kuleuven.be",
        "timeout": 60000,
        "userVerification": "preferred"
      }
    },
    "message": "Please confirm with your WebAuthn token (FT FIDO), Please confirm with your WebAuthn token (Yubico U2F EE)",
    "messages": [
      "Please confirm with your WebAuthn token (FT FIDO)",
      "Please confirm with your WebAuthn token (Yubico U2F EE)"
    ],
    "multi_challenge": [
      {
        "attributes": {
          "hideResponseInput": true,
          "img": "",
          "webAuthnSignRequest": {
            "allowCredentials": [
              {
                "id": "JDs6AUjsJrdUj2VwL2filamsXHYTbuLlfwsq6OpFPnWFAlC48MWomdyghMiT8nT3Ghb-qZCpBjWQ20afs9nbfJvVQu-fDZUXkbiFZ_e9LrcseASlJ4Rcqcb0uTkZP5Pa",
                "transports": [
                  "usb",
                  "ble",
                  "nfc",
                  "internal"
                ],
                "type": "public-key"
              }
            ],
            "challenge": "D1VCRmG9CuOCvRaTv4m_lT9kcmC8A_isGtb1h6-RoLo",
            "rpId": "sso-test.esat.kuleuven.be",
            "timeout": 60000,
            "userVerification": "preferred"
          }
        },
        "message": "Please confirm with your WebAuthn token (FT FIDO)",
        "serial": "WAN0000E49C",
        "transaction_id": "06403856893216203841",
        "type": "webauthn"
      },
      {
        "attributes": {
          "hideResponseInput": true,
          "img": "static/img/FIDO-U2F-Security-Key-444x444.png",
          "webAuthnSignRequest": {
            "allowCredentials": [
              {
                "id": "teDWJ1BG-luk4QVS5o6MTi_r9XsiFb8rAfmSdIu8F6OH1p1isbgcXDH-J3iYKvBgfqnCp7mNmKQ_vkcJ_MTmxA",
                "transports": [
                  "usb",
                  "ble",
                  "nfc",
                  "internal"
                ],
                "type": "public-key"
              }
            ],
            "challenge": "D1VCRmG9CuOCvRaTv4m_lT9kcmC8A_isGtb1h6-RoLo",
            "rpId": "sso-test.esat.kuleuven.be",
            "timeout": 60000,
            "userVerification": "preferred"
          }
        },
        "message": "Please confirm with your WebAuthn token (Yubico U2F EE)",
        "serial": "WAN0001F2C0",
        "transaction_id": "06403856893216203841",
        "type": "webauthn"
      }
    ],
    "serial": "WAN0001F2C0",
    "threadid": 139932789683968,
    "transaction_id": "06403856893216203841",
    "transaction_ids": [
      "06403856893216203841",
      "06403856893216203841"
    ],
    "type": "webauthn"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": 2
  },
  "time": 1638352635.5786781,
  "version": "privacyIDEA 3.6",
  "versionnumber": "3.6",
  "signature": "rsa_sha256_pss:..."
}
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: Sending to /validate/check
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: user=u0045469
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: transaction_id=06403856893216203841
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: pass=
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: realm=esat.kuleuven.be
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: credentialid=JDs6AUjsJrdUj2VwL2filamsXHYTbuLlfwsq6OpFPnWFAlC48MWomdyghMiT8nT3Ghb-qZCpBjWQ20afs9nbfJvVQu-fDZUXkbiFZ_e9LrcseASlJ4Rcqcb0uTkZP5Pa
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: clientdata=eyJjaGFsbGVuZ2UiOiJEMVZDUm1HOUN1T0N2UmFUdjRtX2xUOWtjbUM4QV9pc0d0YjFoNi1Sb0xv
IiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2lu
IjoiaHR0cHM6Ly9zc28tdGVzdC5lc2F0Lmt1bGV1dmVuLmJlIiwidHlwZSI6IndlYmF1dGhuLmdl
dCJ9
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: signaturedata=MEYCIQChpe6fG8GkwsLbgta_MLUzflxLyHEpDSEcotwGSY-umQIhALPlN47N8odw1TSOX9xfNE-K
0PDLp5YvzuNtp_hOcvT7
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: authenticatordata=j854s7gdNJHSffDKGDXQT1cJcoOZ8s7ikgfsqCk7B48BAAAENw
2021-12-01 10:58:10,809 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://sso-test.esat.kuleuven.be/...) PrivacyIDEA SDK: /validate/check:
{
  "detail": {
    "message": "Found matching challenge",
    "serial": "WAN0000E49C",
    "threadid": 139932688971520
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": true
  },
  "time": 1638352690.7810771,
  "version": "privacyIDEA 3.6",
  "versionnumber": "3.6",
  "signature": "rsa_sha256_pss:..."
}
@nilsbehlen
Member

Hi,
this behavior is somewhat "intended". I think the error could be handled better.
Your observation is correct, the provider only passes the first WebAuthn challenge to the browser, so that error comes from passing the wrong challenge to the device.
We currently only use the first challenge because there is not really a good way to distinguish WebAuthn tokens since the "serial" privacyIDEA gets when enrolling the token is not the serial that is printed on the device. In the future there will probably be support for multiple WebAuthn tokens, but doing that requires some time to implement a solution that does it properly.

Can I ask you why you use 2 different WebAuthn tokens?

@rtheys
Author

rtheys commented Dec 1, 2021

Hi,

We have users who have multiple keys as they have keys at two different locations and keep them there.

Would it be an option to show the label of the token on the button that now shows "webauthn"? It could then show two buttons if there are two webauthn tokens registered? Maybe that would make it easier to distinguish between the challenges?

Regards,
Rik

@nilsbehlen
Member

> Would it be an option to show the label of the token on the button that now shows "webauthn"?

We do not get the token label directly, just the message from privacyIDEA which can be configured but by default contains the token description. However, that is probably the way to do it, but it does not quite fit the current structure of the provider and would require restructuring. There is also an ongoing effort in the privacyIDEA server to improve the communication with the plugins which will also result in a restructuring of the plugins, so that will probably be the time this enhancement will be implemented.
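The two comments above describe the same design problem from both sides: the provider forwards only the first `webauthn` entry of `multi_challenge` to the browser, so a second key's credential is never in `allowCredentials`, and the only per-token label available is each entry's `message`. The following is an added example, not the keycloak-provider's code and not the change made in #93; it shows the two ways a client can consume a response shaped like the `/validate/triggerchallenge` output logged above. Strategy 1 builds one `PublicKeyCredentialRequestOptions` per token, labelled with its `message` (the button-per-token idea from the thread). Strategy 2 merges every token's `allowCredentials` into a single request, which is only valid when all entries share the same `challenge` and `rpId`, as they do in the log, and which lets whichever key the user touches answer; the server then identifies the token from the `credentialid` sent to `/validate/check`. The JSON field names come from the page; the sample response, realm, serials and credential ids are constructed, and all function names are the example's own.

```javascript
// Added example (not the project's code): consume a privacyIDEA
// /validate/triggerchallenge response carrying several "webauthn" entries.

// Decode base64url (the encoding privacyIDEA uses for challenge and
// credential ids) into the Uint8Array the WebAuthn API expects.
function base64UrlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  return new Uint8Array(Buffer.from(b64 + pad, "base64"));
}

// Convert one webAuthnSignRequest object (as logged on the page) into the
// publicKey options object for navigator.credentials.get().
function toRequestOptions(signRequest) {
  return {
    challenge: base64UrlToBytes(signRequest.challenge),
    rpId: signRequest.rpId,
    timeout: signRequest.timeout,
    userVerification: signRequest.userVerification,
    allowCredentials: signRequest.allowCredentials.map((c) => ({
      type: c.type,
      id: base64UrlToBytes(c.id),
      transports: c.transports,
    })),
  };
}

// Keep only the multi_challenge entries that are WebAuthn challenges;
// privacyIDEA may trigger other token types (OTP, push) in the same call.
function webauthnChallenges(response) {
  const list = (response.detail && response.detail.multi_challenge) || [];
  return list.filter(
    (c) => c.type === "webauthn" && c.attributes && c.attributes.webAuthnSignRequest
  );
}

// Strategy 1: one request per token, labelled with the entry's message
// (privacyIDEA puts the token description in it by default).
function perTokenRequests(response) {
  return webauthnChallenges(response).map((c) => ({
    label: c.message,
    serial: c.serial,
    transactionId: c.transaction_id,
    options: toRequestOptions(c.attributes.webAuthnSignRequest),
  }));
}

// Strategy 2: a single request listing every registered credential.
// Refuses to merge if the entries do not share challenge and rpId, because a
// signature over one challenge cannot be checked against another.
function mergedRequest(response) {
  const entries = webauthnChallenges(response);
  if (entries.length === 0) return null;
  const first = entries[0].attributes.webAuthnSignRequest;
  const seen = new Set();
  const allowCredentials = [];
  for (const e of entries) {
    const sr = e.attributes.webAuthnSignRequest;
    if (sr.challenge !== first.challenge || sr.rpId !== first.rpId) {
      throw new Error(`challenge/rpId differ for ${e.serial}; cannot merge`);
    }
    for (const cred of sr.allowCredentials) {
      if (!seen.has(cred.id)) {
        seen.add(cred.id);
        allowCredentials.push(cred);
      }
    }
  }
  return toRequestOptions({ ...first, allowCredentials });
}

// Constructed sample: two WebAuthn tokens plus one OTP token, same shape as the
// logged response but with made-up ids, serials and realm.
const SAMPLE_RESPONSE = {
  detail: {
    multi_challenge: [
      { type: "hotp", message: "please enter OTP", serial: "OATH-EXAMPLE-1",
        transaction_id: "1111", attributes: {} },
      { type: "webauthn", message: "Please confirm with your WebAuthn token (Key A)",
        serial: "WAN-EXAMPLE-1", transaction_id: "1111",
        attributes: { hideResponseInput: true, webAuthnSignRequest: {
          allowCredentials: [{ id: "AQID", transports: ["usb"], type: "public-key" }],
          challenge: "Y2hhbGxlbmdl", rpId: "sso.example.test",
          timeout: 60000, userVerification: "preferred" } } },
      { type: "webauthn", message: "Please confirm with your WebAuthn token (Key B)",
        serial: "WAN-EXAMPLE-2", transaction_id: "1111",
        attributes: { hideResponseInput: true, webAuthnSignRequest: {
          allowCredentials: [{ id: "BAUG", transports: ["nfc"], type: "public-key" }],
          challenge: "Y2hhbGxlbmdl", rpId: "sso.example.test",
          timeout: 60000, userVerification: "preferred" } } },
    ],
  },
  result: { status: true, value: 3 },
};

// In a browser the merged options would be used as
// navigator.credentials.get({ publicKey: mergedRequest(resp) }).
```

Whichever strategy is used, the assertion returned by the authenticator carries `rawId`, and that value (base64url-encoded) is what the provider sends as `credentialid` to `/validate/check`; in the log above the server answers `Found matching challenge` with the serial of the key that signed, so the server side already copes with either key once the browser has been given its credential id.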

@nilsbehlen nilsbehlen changed the title Only the first registered webauthn token works if multiple are configured Support multiple WebAuthn challenges Jan 7, 2022
@nilsbehlen nilsbehlen added Type: Enhancement New feature (internally/planned) or enhancement of existing feature Type: Feature request External request for new functionality and removed Type: Feature request External request for new functionality labels Jan 7, 2022
@nilsbehlen
Member

closed by #93

@rtheys
Author

rtheys commented Mar 25, 2022

Hi,

Nice to see this will be fixed in a future release. Will it depend on a specific privacyidea server version, or will it work with the 3.6 release?

Regards,
Rik

@nilsbehlen
Member

Hi, it will work with any version of the server.
